Description
School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.
Published: 2026-05-02
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Zyosoft School App contains an insecure direct object reference flaw that lets an authenticated remote attacker change a specific request parameter to read or modify data belonging to other users. The weakness is classified as CWE-639 (Authorization Bypass Through User-Controlled Key): the app looks objects up by a client-supplied identifier without checking that the authenticated user owns, or is otherwise entitled to, the referenced record. The result is a loss of both confidentiality and integrity of the personal records held by the platform, with the potential for privacy violations and manipulation of academic data.

Affected Systems

Zyosoft School App for Android before version 1.1.62 and for iOS before version 2.7.2 lack the necessary authorization checks and are affected. Users should confirm that the installed build is at least these versions.

Risk and Exploitability

The CVSS v4.0 base score is 8.6 (High); the v3.1 vector scores 8.1. Both vectors describe a network-reachable flaw with low attack complexity, no user interaction, and high impact on confidentiality and integrity (availability is unaffected). The EPSS score is below 1% and the CVE is not in the CISA KEV catalog, so there is no indication of public exploitation at the time of writing, but the attack itself is trivial once the precondition is met. That precondition is an authenticated session (PR:L), i.e. any valid user account, including one obtained through credential compromise. The attacker then substitutes another user's identifier in the affected parameter; because the server does not verify ownership, it returns or updates that user's data.

Generated by OpenCVE AI on May 2, 2026 at 11:57 UTC.

Remediation

Vendor Solution

Update School App (Android) to version 1.1.62 or later
Update School App (iOS) to version 2.7.2 or later


OpenCVE Recommended Actions

  • Update the Android edition of School App to version 1.1.62 or later
  • Update the iOS edition of School App to version 2.7.2 or later
  • Reinforce the server-side code to verify object ownership and user authorization before processing any read or write request, i.e. scope every lookup to the authenticated user instead of trusting a client-supplied identifier
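The flaw described in the Risk and Exploitability section and the ownership check recommended above, shown side by side as an added example. This is hypothetical code written for this page, not the Zyosoft School App's own implementation: the record store, user ids, record ids and field names are all constructed here, and the real app's parameter name and backend are not public. The vulnerable handlers look up a record by the client-supplied id alone; the hardened ones require that the record belong to the authenticated session, and `idor_probe` is the two-account test a pentester would run against either.

```python
"""IDOR (CWE-639) on read and write paths, and the ownership check that closes it.
Hypothetical example code; not the Zyosoft School App's code. All data is constructed."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the authenticated user may not access the requested object."""


@dataclass
class Record:
    record_id: int
    owner_id: int
    data: dict = field(default_factory=dict)


def make_store() -> dict:
    """Constructed sample data: user 1 owns record 101, user 2 owns record 102."""
    return {
        101: Record(101, owner_id=1, data={"name": "Alice", "grade": "A"}),
        102: Record(102, owner_id=2, data={"name": "Bob", "grade": "B"}),
    }


def vulnerable_read(store: dict, session_user_id: int, record_id: int) -> dict:
    """IDOR: authentication happened upstream, but the lookup trusts the
    client-supplied record_id and never compares its owner to the session."""
    return dict(store[record_id].data)


def vulnerable_update(store: dict, session_user_id: int, record_id: int, changes: dict) -> dict:
    """Same flaw on the write path: any authenticated user can modify any record."""
    store[record_id].data.update(changes)
    return dict(store[record_id].data)


def _owned(store: dict, session_user_id: int, record_id: int) -> Record:
    """Ownership check shared by the hardened handlers.
    Unknown ids and other users' ids produce the same error, so the response
    cannot be used as an oracle to enumerate which ids exist.
    In SQL terms this is the difference between
        SELECT ... WHERE id = ?
    and SELECT ... WHERE id = ? AND owner_id = ?"""
    rec = store.get(record_id)
    if rec is None or rec.owner_id != session_user_id:
        raise Forbidden(f"user {session_user_id} may not access record {record_id}")
    return rec


def authorized_read(store: dict, session_user_id: int, record_id: int) -> dict:
    """Read only records the authenticated user owns."""
    return dict(_owned(store, session_user_id, record_id).data)


def authorized_update(store: dict, session_user_id: int, record_id: int, changes: dict) -> dict:
    """Write only records the authenticated user owns; rejected writes leave data untouched."""
    rec = _owned(store, session_user_id, record_id)
    rec.data.update(changes)
    return dict(rec.data)


def idor_probe(handler, store: dict, attacker_id: int, victim_record_id: int) -> bool:
    """Two-account IDOR test: act as the attacker, request the victim's object id.
    Returns True if the handler served it (IDOR present), False if it refused."""
    try:
        handler(store, attacker_id, victim_record_id)
        return True
    except (Forbidden, KeyError):
        return False


if __name__ == "__main__":
    store = make_store()
    print("vulnerable read leaks another user's record:", idor_probe(vulnerable_read, store, 1, 102))
    print("hardened read leaks another user's record:  ", idor_probe(authorized_read, store, 1, 102))
```

The same probe works against a live target: create two accounts, capture a request made by one, replace the object identifier with one belonging to the other, and treat anything other than a uniform 403/404 as a finding. Note that the fix belongs on the server; a client-side check in the mobile app can be bypassed by replaying the request directly.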



Advisories

No advisories yet.

History

Sat, 02 May 2026 09:30:00 +0000

Type         Values Removed   Values Added
Description  -                School App developed by Zyosoft has an Insecure Direct Object Reference vulnerability, allowing authenticated remote attackers to modify a specific parameter to read and modify other users' data.
Title        -                Zyosoft|School App - Insecure Direct Object Reference
Weaknesses   -                CWE-639
References   -                -
Metrics      -                cvssV3_1: score 8.1, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
                              cvssV4_0: score 8.6, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N



MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-05-02T09:14:25.760Z

Reserved: 2026-04-30T09:01:07.205Z

Link: CVE-2026-7491

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-02T10:16:19.107

Modified: 2026-05-02T10:16:19.107

Link: CVE-2026-7491

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T12:00:14Z

Weaknesses